From bb2f681a87d7cca620becb832589c7cd0a88168e Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Wed, 29 Jan 2020 16:44:58 +0100
Subject: [PATCH] postfix: add integration of a MTA-STS resolver daemon

---
 postfix/defaults/main.yml | 3 ++
 postfix/files/mta-sts-daemon.yml | 20 ++++++++
 postfix/files/mta-sts-override.conf | 2 +
 postfix/files/mta-sts-tmpfiles.conf | 1 +
 postfix/handlers/main.yml | 9 ++++
 postfix/tasks/main.yml | 2 +
 postfix/tasks/mta-sts.yml | 74 +++++++++++++++++++++++++++++
 postfix/templates/main.cf.j2 | 3 ++
 8 files changed, 114 insertions(+)
 create mode 100644 postfix/files/mta-sts-daemon.yml
 create mode 100644 postfix/files/mta-sts-override.conf
 create mode 100644 postfix/files/mta-sts-tmpfiles.conf
 create mode 100644 postfix/tasks/mta-sts.yml

diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml
index 7d3cd45..1b8e12d 100644
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@@ -43,6 +43,9 @@ postfix_transport_maps: []
 # protocol: smtp
 # use_mx: true
 
+# Note: This requires at least buster-backports or newer.
+postfix_enable_mta_sts: false
+
 postfix_my_networks: []
 postfix_notify_classes: []
 postfix_satellite_only: false
diff --git a/postfix/files/mta-sts-daemon.yml b/postfix/files/mta-sts-daemon.yml
new file mode 100644
index 0000000..1e79d6b
--- /dev/null
+++ b/postfix/files/mta-sts-daemon.yml
@@ -0,0 +1,20 @@
+---
+path: "/var/spool/postfix/mta-sts/mta-sts.sock"
+# yamllint disable-line rule:octal-values
+mode: 0666
+# host: 127.0.0.1
+# port: 8461
+reuse_port: true
+cache_grace: 60
+shutdown_timeout: 5
+cache:
+  type: sqlite
+  options:
+    filename: "/var/lib/mta-sts/cache.db"
+default_zone:
+  strict_testing: false
+  timeout: 4
+# zones:
+#   myzone:
+#     strict_testing: false
+#     timeout: 4
diff --git a/postfix/files/mta-sts-override.conf b/postfix/files/mta-sts-override.conf
new file mode 100644
index 0000000..80ca794
--- /dev/null
+++ b/postfix/files/mta-sts-override.conf
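Review bot: `mode: 0666` in mta-sts-daemon.yml makes the resolver socket world-writable at the file level, and the only thing that actually gates access to it is the 0770 postfix:_mta-sts directory created by the tmpfiles rule elsewhere in this patch; that dependency is invisible from this file, so a later edit of either file can silently widen access. A comment above the key would pin it down, e.g. `# World-writable socket: access is gated by the 0770 postfix:_mta-sts parent directory (mta-sts-tmpfiles.conf), which Postfix's smtp client reaches as queue-relative mta-sts/mta-sts.sock`. The unquoted `0666` is read as an octal integer, which is presumably what the daemon expects; the yamllint disable shows that is deliberate, and saying so in the same comment would stop someone "fixing" it into a string.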
@@ -0,0 +1,2 @@
+[Service]
+ReadWritePaths=/var/spool/postfix/mta-sts
diff --git a/postfix/files/mta-sts-tmpfiles.conf b/postfix/files/mta-sts-tmpfiles.conf
new file mode 100644
index 0000000..919c414
--- /dev/null
+++ b/postfix/files/mta-sts-tmpfiles.conf
@@ -0,0 +1 @@
+d /var/spool/postfix/mta-sts 0770 postfix _mta-sts - -
diff --git a/postfix/handlers/main.yml b/postfix/handlers/main.yml
index 5421edf..3e156d7 100644
--- a/postfix/handlers/main.yml
+++ b/postfix/handlers/main.yml
@@ -1,11 +1,20 @@
 ---
 
+- name: create tmpfiles
+  command: systemd-tmpfiles --create
+
+- name: reload systemd service files
+  systemd: daemon_reload=true
+
 - name: restart postfix
   service: name=postfix state=restarted
 
 - name: restart memcached
   service: name=memcached state=restarted
 
+- name: restart mta-sts resolver
+  service: name=postfix-mta-sts-resolver state=restarted
+
 - name: postmap system
   command: postalias cdb:/etc/aliases
 
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml
index e9a0386..fb14d19 100644
--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
@@ -78,6 +78,8 @@
   - postfix
   - mail
 
+- import_tasks: mta-sts.yml
+
 - name: install rt-mailgate if needed
   apt:
     name: rt4-clients
diff --git a/postfix/tasks/mta-sts.yml b/postfix/tasks/mta-sts.yml
new file mode 100644
index 0000000..7f87546
--- /dev/null
+++ b/postfix/tasks/mta-sts.yml
@@ -0,0 +1,74 @@
+---
+
+- name: ensure we got the MTA-STS resolver software installed
+  apt:
+    state: "{{ 'present' if postfix_enable_mta_sts else 'absent' }}"
+    name: postfix-mta-sts-resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (tmpfiles)
+  copy:
+    src: mta-sts-tmpfiles.conf
+    dest: /etc/tmpfiles.d/mta-sts.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - create tmpfiles
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (overrideable)
+  file:
+    state: directory
+    path: /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    owner: root
+    group: root
+    mode: '0755'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (service)
+  copy:
+    src: mta-sts-override.conf
+    dest: /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+- name: ensure MTA-STS resolver overrides are deconfigured when disabled
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    - /etc/tmpfiles.d/mta-sts.conf
+  when: not postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+
+- name: ensure the MTA-STS resolver is configured
+  copy:
+    src: mta-sts-daemon.yml
+    dest: /etc/mta-sts-daemon.yml
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - restart mta-sts resolver
+
+- name: ensure the MTA-STS resolver is up and running
+  service:
+    name: postfix-mta-sts-resolver
+    enabled: "{{ postfix_enable_mta_sts|string }}"
+    state: "{{ 'started' if postfix_enable_mta_sts else 'stopped' }}"
diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index 76028f2..784102c 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -55,6 +55,9 @@ smtpd_tls_cert_file = {{ postfix_tls_cert }}
 smtpd_tls_key_file = {{ postfix_tls_key }}
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+{% if postfix_enable_mta_sts %}
+smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
+{% endif %}
 {% if not postfix_satellite_only %}
 smtpd_tls_protocols = {{ postfix_tls_protocols }}
 smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
--
GitLab
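Review bot: The last task, "ensure the MTA-STS resolver is up and running", has no `when:` guard, so with the default `postfix_enable_mta_sts: false` it asks the service module to stop and disable `postfix-mta-sts-resolver` on a host where the first task has just removed (or never installed) the package, and on systemd hosts that is likely to fail with "Could not find the requested service" rather than be a no-op. Guarding it with `when: postfix_enable_mta_sts` and writing `enabled: true` / `state: started` avoids the dead path; package removal presumably already stops the daemon via the Debian maintainer scripts, and the cleanup task above only notifies the daemon-reload handler, so nothing else depends on the stopped branch. A second first-run ordering issue: the directory for the socket is only created when the `create tmpfiles` handler fires at the end of the play, yet this same play already starts the daemon with a socket path beneath it, so the initial start works only if the package's own default config does not use that directory; a `- meta: flush_handlers` task before the service task makes that deterministic instead of accidental.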
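Review bot: The added `smtp_tls_policy_maps` line routes every outbound delivery's TLS policy lookup through the resolver socket, and as far as I recall Postfix treats a socketmap error as a temporary lookup failure and defers the message rather than falling back to `smtp_tls_security_level`; a resolver outage, or the socket directory not existing yet on the first run, therefore stalls all outbound mail, which is worth stating next to the setting. The path is queue-relative, so it only matches the absolute `path:` in mta-sts-daemon.yml while `queue_directory` is `/var/spool/postfix`, and the setting is only consulted when the client TLS level is enabled at all, which this hunk does not show. A comment above the line would cover both, e.g. `# MTA-STS policy via the resolver socket (queue-relative; must match path in mta-sts-daemon.yml). A resolver outage defers outbound mail.`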